Articles tagged iptables

Migrating RHEL's iptables management scripts to Ubuntu

Ubuntu's default firewall front end is ufw, a Python tool that ultimately translates its configuration into iptables commands to filter traffic.
The annoying part is that ufw enables a large number of rules by default, and its configuration files are awkward to edit.
For administrators who are used to writing rules directly as iptables commands, RHEL's script-based iptables management is far cleaner.

An RHEL iptables script copied straight onto Ubuntu will not run as is, though; it needs a fair number of changes.

The steps are as follows:

1. Create the configuration file iptables-config
$ sudo mkdir /etc/sysconfig
$ sudo vim /etc/sysconfig/iptables-config

# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
#   Value: yes|no,  default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
#   Value: yes|no,  default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"

2. Create the rules file iptables (using my blog's server as the example)
$ sudo vim /etc/sysconfig/iptables
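The RHEL init script sources iptables-config and, when printing status, turns the three IPTABLES_STATUS_* switches into flags for `iptables -L`. The script below is an added example, not the post's own code and not RHEL's init script: it does the same mapping without sourcing the file (so a stray command in the config cannot run with root privileges) and rejects any value that is not exactly yes or no, which is the check you want before an init script silently treats a typo as "no". The sample config it writes is constructed for the example.

```shell
#!/bin/bash
# Added example: read IPTABLES_STATUS_* switches from an iptables-config file
# and build the flags for an `iptables -L` status command, validating values.
set -eu

# Constructed sample config for this example (status switches only).
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# comments and blank lines are ignored
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
EOF

# config_value FILE KEY -> prints KEY's value with optional quotes stripped,
# or nothing if the key is absent. The file is parsed, never sourced.
config_value() {
    sed -n "s/^$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n1
}

# yes_no FILE KEY DEFAULT -> prints yes or no; fails on any other value
yes_no() {
    v=$(config_value "$1" "$2")
    v=${v:-$3}
    case "$v" in
        yes|no) printf '%s\n' "$v" ;;
        *) echo "$2: expected yes or no, got '$v'" >&2; return 1 ;;
    esac
}

# status_flags FILE -> prints the iptables -L flags the config asks for.
# Defaults (yes for all three) follow the comments in iptables-config.
status_flags() {
    flags=""
    n=$(yes_no "$1" IPTABLES_STATUS_NUMERIC yes) || return 1
    v=$(yes_no "$1" IPTABLES_STATUS_VERBOSE yes) || return 1
    l=$(yes_no "$1" IPTABLES_STATUS_LINENUMBERS yes) || return 1
    [ "$n" = yes ] && flags="$flags -n"
    [ "$v" = yes ] && flags="$flags -v"
    [ "$l" = yes ] && flags="$flags --line-numbers"
    printf '%s\n' "${flags# }"
}

echo "iptables -L $(status_flags "$SAMPLE_CONFIG")"
rm -f "$SAMPLE_CONFIG"
```

With the sample config above the script prints `iptables -L -n --line-numbers`; the -v flag is dropped because IPTABLES_STATUS_VERBOSE is set to no, matching the value in the config file listed earlier.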

Sharing an iptables forwarding and port-mapping script

#!/bin/bash
# Gateway with eth0 on the WAN and eth1 on the LAN: masquerades the LAN and
# maps WAN port 80 to the internal web server.
set -eu

lan_subnet=192.168.1.0/24
web_addr=192.168.1.20
# First IPv4 address of each interface. `ip` is used instead of ifconfig,
# whose "inet addr:" output format changed between net-tools versions.
wan_addr=$(ip -4 -o addr show dev eth0 | awk 'NR==1{print $4}' | cut -d/ -f1)
lan_addr=$(ip -4 -o addr show dev eth1 | awk 'NR==1{print $4}' | cut -d/ -f1)

sysctl -w net.ipv4.ip_forward=1

# Flush the chains this script owns (INPUT too, so rules added elsewhere are
# lost). nat/PREROUTING is flushed as well, otherwise the DNAT rule below is
# appended again on every run.
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

# LAN may reach anything; replies pass by state; the mapped web traffic
# needs its own accept in case the FORWARD policy is DROP.
iptables -A FORWARD -s ${lan_subnet} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d ${web_addr} -p tcp --dport 80 -m state --state NEW -j ACCEPT

# Port mapping. The SNAT makes replies return via the gateway, which LAN
# clients connecting to ${wan_addr} need, but the web server then sees the
# gateway, not the client, as the source of every mapped connection.
iptables -t nat -A PREROUTING -d ${wan_addr} -p tcp --dport 80 -j DNAT --to-destination ${web_addr}:80
iptables -t nat -A POSTROUTING -d ${web_addr} -p tcp --dport 80 -j SNAT --to-source ${lan_addr}

iptables -t nat -A POSTROUTING -o eth0 -s ${lan_subnet} -j MASQUERADE

# Port 80 on the gateway itself; DNATed traffic never reaches INPUT.
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
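The script above hard-codes one mapping. As an added example, not the post's own script, the functions below generate the same three-rule pattern (DNAT in nat/PREROUTING, an accept in filter/FORWARD, hairpin SNAT in nat/POSTROUTING) for a list of mappings, validate each entry before emitting anything, and print the commands by default; setting IPTABLES=iptables in the environment applies them for real. The addresses and the mapping list are constructed for the example. One deliberate difference from the original: the hairpin SNAT is restricted to sources in the LAN subnet, so WAN clients' real addresses still reach the internal server while LAN clients using the WAN address keep working.

```shell
#!/bin/bash
# Added example: build DNAT/FORWARD/hairpin-SNAT rules for several port
# mappings. Dry-run by default (commands are echoed); IPTABLES=iptables applies.
set -eu

IPTABLES="${IPTABLES:-echo iptables}"

# Hypothetical gateway addressing, constructed for this example.
WAN_ADDR=203.0.113.5
LAN_ADDR=192.168.1.1
LAN_SUBNET=192.168.1.0/24

# Each mapping is "proto:wan_port:lan_host:lan_port" (constructed list).
MAPPINGS="
tcp:80:192.168.1.20:80
tcp:443:192.168.1.20:443
tcp:2222:192.168.1.30:22
udp:53:192.168.1.40:53
"

# valid_mapping PROTO WAN_PORT HOST LAN_PORT -> 0 if the tuple is well-formed
valid_mapping() {
    case "$1" in tcp|udp) ;; *) return 1 ;; esac
    for p in "$2" "$4"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    case "$3" in
        *.*.*.*) ;;   # coarse dotted-quad shape check; iptables rejects the rest
        *) return 1 ;;
    esac
}

# rules_for PROTO WAN_PORT HOST LAN_PORT -> emits the three rules for one mapping
rules_for() {
    proto=$1 wport=$2 host=$3 lport=$4
    $IPTABLES -t nat -A PREROUTING -d "$WAN_ADDR" -p "$proto" --dport "$wport" \
        -j DNAT --to-destination "$host:$lport"
    $IPTABLES -A FORWARD -d "$host" -p "$proto" --dport "$lport" \
        -m state --state NEW -j ACCEPT
    # Hairpin SNAT only for LAN clients, so the server still logs WAN clients'
    # real source addresses.
    $IPTABLES -t nat -A POSTROUTING -s "$LAN_SUBNET" -d "$host" -p "$proto" \
        --dport "$lport" -j SNAT --to-source "$LAN_ADDR"
}

# apply_mappings -> processes MAPPINGS; returns 1 if any entry was malformed
apply_mappings() {
    rc=0
    for m in $MAPPINGS; do
        IFS=: read -r proto wport host lport <<EOF
$m
EOF
        if valid_mapping "$proto" "$wport" "$host" "$lport"; then
            rules_for "$proto" "$wport" "$host" "$lport"
        else
            echo "skipping malformed mapping: $m" >&2
            rc=1
        fi
    done
    return $rc
}

apply_mappings
```

Run it once without IPTABLES set and read the twelve printed commands; when they look right, run `IPTABLES=iptables ./portmap.sh` as root (the file name is an assumption). Flushing the chains first, as the original script does, is still the caller's job.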